University Risk Management Policy

Transcription

1 Preamble University Risk Management Policy Approving Authority: Board of Governors Original Approval Date: June 7, 2007 Date of Most Recent Review/Revision: October 20, 2017 Responsible Officer: Vice-President (Finance, Administration and Risk) Responsible Office: Vice-President (Finance, Administration and Risk) Risk is inherent in all academic, administrative and business activities at the University of Guelph ( the University ) and to varying degrees, members of the University community are continuously involved in managing these Risks. In order to respond most effectively as an institution, the University employs an enterprise approach to Risk management. The University Risk Management Policy outlines this approach. The University s approach to Risk, adopted for the purpose of University Risk Management (URM), is as follows: The University is committed to continuous quality improvement and will make choices that assess the opportunities and threats inherent in that commitment 1. The University seeks to foster a culture that is Risk-aware without being Risk-averse, pursuing opportunities that further strategic and operational priorities, while effectively managing Risk. It is recognized that virtually all activities carry a degree of uncertainty and require the University to strike an appropriate balance between managing Risks and pursuing strategic opportunities. University Risk Management is an important factor for the setting of priorities and strategic decisionmaking in the best interests of the University, as it facilitates the identification of potential Risks and opportunities that may significantly impact the ability of the institution to achieve its strategic goals or maintain its operations. 1. Purpose 1.1. The University is committed to thoughtful consideration and integration of Risk in decisionmaking. This policy outlines the University s approach to risk management, in support of its strategic goals and objectives The University Risk Management policy does not replace but complements other university internal controls and is the foundation of the Risk management framework to be implemented at the University. 2. Jurisdiction/Scope 2.1. This policy applies to all administrative and academic units of the University and to all faculty and staff. 1 University of Guelph Strategic Risk Assessment, KPMG 2006

2 3. Definitions 3.1. Risk: Any event or action that may adversely affect the University s ability to achieve its strategic and operational priorities Inherent Risk: Risk in the absence of any controls, actions or Risk mitigation to alter either the Risk s likelihood or impact Residual Risk: The remaining level of Risk after taking into consideration controls, actions and Risk mitigation measures intended to minimize either the Risk s likelihood or impact Risk Appetite: The level of Risk the University is willing to accept in order to meet its strategic objectives Risk Management: The planned and systematic approach to the identification, evaluation and control of Risk to maximize opportunities and minimize losses Risk Tolerance: The willingness to accept or reject a given level of residual Risk aligned with the overall risk appetite Risk Treatment: The process of selecting and implementing measures to manage the Risk exposure through avoidance, reduction, transfer/sharing, or acceptance University Risk Management (URM): Includes the methods and processes used to manage Risk and opportunities related to the achievement of the University s objectives. 4. University Risk Management 4.1. The University will support a deliberative approach to Risk assessment and treatment to avoid, mitigate or manage Risks in support of University activities and strategic and operational priorities. At the institutional level, the University s senior leadership determines the appropriate level of acceptable Risk based on a balanced view of the Risk, considering both the threat of adverse impacts, and the opportunities that arise from properly managed Risk. (See also s.5 of this policy.) 4.2. An objective of the URM program is effective management of a balanced portfolio of institutional Risks, which fall within the following five areas 2 : 2 Adapted from Meeting the Challenges of Enterprise Risk Management in Higher Education, Association of Governing Boards of Universities and Colleges, 2007

3 Strategic Operational Financial/ Reporting Compliance Reputational Risks that are aligned with and support the University s mission, vision and strategic directions Risks that are associated with on-going management processes, including those related to business continuity Risks associated with sound financial practices, protection of the University s assets and reliability of reporting Risks associated with institutional compliance with applicable legislation and regulations Risks that may be triggered by a serious event in any category 4.3. As an additional level of consideration, the following categories are used to assess the types of risks identified 3. These categories assist in determining Risk treatment options: Category I: Preventable Risks Category II: Strategic Risks Category III: External Risks Risks which arise from within the University that are controllable and should be eliminated or avoided; offer no strategic benefit; are managed through active prevention and monitoring operational processes Risks which are strategic and associated with innovations or new opportunities; not inherently undesirable but requiring management systems designed to reduce the probability that assumed Risks materialize, or by advancing the ability to manage or contain risks should they occur. Risks which arise from events outside the University and are beyond its influence or control; managed through identification of Risk and mitigation of impact The University Risk Management process is designed to: a. Map to the University s Strategic Framework and planning, and integrate Risk management into the culture of the institution b. Assess Risks and opportunities against the University s level of Risk tolerance c. Anticipate and respond to social, environmental and legislative conditions d. Manage Risk according to best practice and demonstrated due diligence in decisionmaking e. Document the framework within which Risk is managed at the University f. Foster a culture of identifying, assessing and mitigating Risks 4.5. The University Risk Management approach is outlined in Figure 1 and in the University s Risk Management Framework 4. The process is continuous and should be applied at all levels of the institution (i.e. at the University level as well as individual academic and administrative units). 3 Adapted from Managing Risks: A New Framework, Kaplan, R. & Mikes, A., Harvard Business Review, June In development (as of October 2017)

4 Figure 1 - The Risk Management Process (ISO 30001) 5. Roles and Responsibilities 5.1. The University utilizes a three lines of defence governance model to manage its Risks and identify those individuals or functions responsible for Risk ownership, Risk oversight and Risk assurance. The President and Vice-Presidents and the University Risk Management Committee, along with the Board of Governors, provide oversight and support to the Risk program and the three lines of defence First Line of Defence Risk Owners: a. All University employees have a role in the effective management of Risk within the context of their area responsibilities, including the identification and disclosure of potential or emerging Risks. b. Academic department and administrative unit managers are responsible for implementing good operational Risk management practices and maintaining appropriate internal controls that support the effective management of Risk. Effective Risk management requires timely recognition and disclosure of potential Risks and should be incorporated into departmental and unit planning processes and management activities.

5 5.3. Second Line of Defence Risk Oversight: University Risk Management Policy a. Various functional groups and committees at the University assist with defining Risk management practices and provide oversight to some of the activities undertaken within the academic and administrative units. Examples of the groups whose activities support this second line of defence include finance, legal, information technology security and human resources teams, and the Joint Health and Safety Committees. b. While the second line of defence is clearly defined for certain Risks, in other cases, the primary responsibility for Risk oversight resides within the academic department or administrative unit itself Third Line of Defence Risk Assurance: a. The activities of the University s internal audit function, and the external auditors provide assurance to management and the Board of Governors on the effectiveness of the risk management practices Executive and University Risk Management Committee Support and Oversight: a. The President and Vice-Presidents are responsible for embedding Risk management within the strategic and operational management processes of the University. This includes: (i) identification of strategic Risks impacting the University; (ii) determining priorities; (iii) assessing Risk tolerance; (iv) developing strategic Risk management plans; and (v), monitoring progress and implementation of plans. b. The Vice-President (Finance, Administration and Risk) serves as the Chief Risk Officer for the University and has specific accountability for the coordination and implementation of URM activities, procedures and reporting. The Vice-President (Finance, Administration and Risk) will report to the Audit and Risk Committee at least once annually on the execution of URM activity at the University. c. The University Risk Management Committee (URMC) provides advice and recommendations to the Vice-President (Finance, Administration and Risk) as follows: i. Oversees the formulation of URM strategy and policy ii. Reviews and advises on the University s Risk Register, including recommendations on emerging Risks and changes to the University s Risk environment iii. Advises on, and recommends initiatives to manage identified threats and opportunities iv. Ensures appropriate and effective related communication

6 d. Membership of the URMC shall be appointed by the Vice-President (Finance, Administration and Risk), who will chair the Committee, and include those responsible for major operational functions of the University Board of Governors Oversight: a. The Board of Governors and its Audit and Risk Committee are responsible for support and oversight of the implementation of the URM process, including approval of the Risk appetite statement and assessment of the Risk program against the Risk appetite. 6. Related Policies, Procedures & Documents University Risk Management Framework [In Development, Fall 2017] University of Guelph Risk Register Board of Governors Audit and Risk Committee Terms of Reference N:\Policy\University Policies\Risk Management\Policy\University Risk Management Policy_FINAL_ docx